Cisco Knowledge Network
Cisco Container Networking Overview and Roadmap
Nov 2017
Phil Lowden, Consulting Systems Engineer
What Is A Container?
[Diagram: Virtual Machine stack vs Container stack]
Containers vs VMs
Containers               Virtual Machines
Shared resources         Isolated resources
Lighter weight           Full OS + application
Faster installation      Several minutes to boot
No hypervisor            Hypervisor-based
Linux and Windows        No underlying OS
Microservices            Monolithic
Why: New Application Architectures
[Diagram: monolithic apps vs microservices]
Monolithic Apps          Cloud Native Apps
server / hypervisor      server clusters, containers
dependencies             easy upgrade
stateful                 microservices
waterfall development    agile devops teams
Linux Containers
• Group of processes on a Linux machine
• Isolated environment
• Linux system within another Linux system
• Inside the container, it looks like a VM
• Outside the container, it looks like normal processes running on the machine
Industry trends
[Timeline diagram; only the label “Zones” survived extraction]
What Is Docker?
What is Docker?
Docker is a software technology providing containers, promoted by the company Docker, Inc. Docker provides an additional layer of abstraction and automation of operating-system-level virtualization on Windows and Linux.
[Source: Wikipedia]
Docker is an open platform that helps companies build, ship and run their applications anywhere.
[Source: Docker, Inc]
Virtualization Technologies Comparison
Docker provides unified access to:
– Linux container technology (cgroups, namespaces)
– Various container implementations (lxc, libvirt, libcontainer, etc.)
‘libcontainer’ is Docker’s implementation of container technology
Why Docker Containers?
• Standardization of the container format
• Development of an ecosystem for sharing containers
Dockerhub
• Sign up for an account on dockerhub
• Public repository of Docker images
• https://hub.docker.com/
• docker search [term]
Docker+Cisco Partnership
Stronger Together: Open Source community and technology partners to build solutions
Joint Engineering, Sales and Marketing
Docker Datacenter On FlexPod CVD
Contiv Network Plugin
Docker Datacenter On Cisco UCS
What Is Docker Networking?
Docker Networking Architecture
[Diagram, layered top to bottom]
Docker Engine
API
Libnetwork (CNM): Service Discovery, Load Balancing, IP Address Mgmt (IPAM)
Native Drivers (bridge, overlay, MACVLAN, IPVLAN) | Remote Drivers (Contiv, Calico, Weave)
Docker networking: single host versus multi host
[Diagram: single host: Docker Engine 10.85.138.10 with Bridge (docker0); multi host: Docker Engines 10.85.138.10 and 10.85.138.11, each with Bridge (docker0), connected by a VxLAN Overlay 10.0.0.0/24]
Docker Networking: MACVLAN Driver
[Diagram: Docker Engine host with eth0 carrying the VLAN sub-interfaces eth0.100 and eth0.200 into an existing network; subnets 192.168.128.0/24 and 192.168.129.0/24 (labelled VLAN 200), containers addressed 192.168.128.10/24 and 192.168.129.10/24]
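As an added example that is not part of the deck, the MACVLAN layout on the slide expressed as a Docker Compose file; the pairing of eth0.100 with 192.168.128.0/24 and eth0.200 with 192.168.129.0/24, the .1 gateways and the images are assumptions.

```yaml
# Added example, not from the Cisco deck: Compose file for the slide's MACVLAN
# layout. The VLAN-to-subnet mapping, the .1 gateways and the images are
# assumptions; the sub-interfaces must already exist on the host, e.g.
#   ip link add link eth0 name eth0.100 type vlan id 100 && ip link set eth0.100 up
networks:
  vlan100:
    driver: macvlan
    driver_opts:
      parent: eth0.100            # 802.1Q sub-interface of eth0 shown on the slide
    ipam:
      config:
        - subnet: 192.168.128.0/24
          gateway: 192.168.128.1
          ip_range: 192.168.128.0/28   # confine Docker IPAM to a slice the existing LAN does not hand out
  vlan200:
    driver: macvlan
    driver_opts:
      parent: eth0.200
    ipam:
      config:
        - subnet: 192.168.129.0/24
          gateway: 192.168.129.1
          ip_range: 192.168.129.0/28
services:
  web:
    image: nginx:1.25
    networks:
      vlan100:
        ipv4_address: 192.168.128.10   # the .10 container on the slide
  db:
    image: postgres:16
    networks:
      vlan200:
        ipv4_address: 192.168.129.10
# Containers on a macvlan network sit directly on the existing VLAN with their
# own MAC address: Docker's published-port and iptables rules do not apply to
# this traffic, so separation between the two subnets has to come from the
# upstream network (VLAN boundaries, ACLs), not from the Docker host.
```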
What Is Contiv?
100% Open Source
The Most Powerful Container Networking Fabric
L2, L3, Overlay or ACI
Rich Policy Model
DevOps | IT Admin
Any Networking | Any Platform | Any Infrastructure
Application Intent | Rich Policy | Connectivity | ACI integration | Container, VM, BM | LDAP/RBAC
What is Contiv
Production-Grade Network and Security Policies
Multi-Tenant, Multi-Host Network Connectivity
Network Security and Isolation (White/Black List Rules)
Traffic Prioritization and Bandwidth Allocation
Network Monitoring (Live Connectivity Graphs and Stats)
Integration with External Network (Cloud | Nexus | Cisco ACI)
Micro-Services Load Balancing
Integrated IPAM, Service Discovery
Performance and Scale
Available at https://github.com/contiv/netplugin
Contiv Integration with Cisco Products
Application-Centric Infrastructure (ACI)
• Containers integrated with APIC policies
• Physical services integration
Nexus Standalone or Any Network
• BGP interop (standard routing protocol)
• EVPN-based multi-tenancy and automation
Unified Compute Systems: B and C Series
• Leveraging vNICs for control, data, management, and storage traffic
• Offload encapsulation function
Contiv Leverages Underlying Infrastructure Capabilities for Applications
Cisco Container Solutions
Cisco Integrated Infrastructure for Containers
Container and Microservices Solutions on Cisco UCS Integrated Infrastructure
Cisco UCS with Docker Datacenter 1.x
FlexPod with Docker Datacenter 2.x
NetApp Docker Vol Plugin
Enterprise Ready
Design choices
Scalable Architecture
Jointly Engineered
Delivered by Partners
Cisco Container Solutions
• Infinite Video
• Mobile Evolved Packet Core (EPC)
• OpenStack Network Function Virtualization Infrastructure (NFVi, aka Project Mercury)
• Lindt (open network operating system)
• Virtual Managed Services (VMS)
• Digital Network Architecture Center (DNA-C) open, programmable architecture
• Installation Containers
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Project Contiv and ACI
[Diagram labels: Container Scheduler; UI to Manage/Monitor Policies/Usage; Policy Enforcement in ACI fabric; Host based networking managed by Contiv; Policy created in Contiv pushed to APIC; Node 1, Node 2 ... Node-n; CCN Distributed Policy Layer; Operations / Developers]
Contiv Enables Policy Based Distributed Container Networking
Available as Open Source
Project Contiv
• Provides policy-based container networking
• Multiple deployment options including overlay, L3, and ACI
• Integrates with multiple orchestration tools
• Support option to be made available from Cisco
• Learn more: https://github.com/contiv
ACI + Kubernetes Integration
[Diagram: Docker Host (Linux) running OVS, OpFlex Agent and the CNI Plugin; Kubernetes Master; APIC with Kubernetes Plugins and OpFlex Proxy]
• APIC GUI integration / VMM Domain specifically designed for Kubernetes
• Visibility / statistics / health metrics for containers
• OVS + OpFlex provides Docker host datapath
• Flexible mapping of Kubernetes into ACI policies
• Container teams set Kubernetes network policies
• Network team retains control of ACI policies for EPGs / contracts
• Distributed load balancing
• Symmetric PBR in ACI fabric for north south LB
• OVS + OpFlex for distributed east-west LB
ACI + Kubernetes Integration
Kubernetes
Kubernetes is open source container mobility among on-premises, hybrid, or public cloud (“multicloud”) infrastructure, letting you effortlessly move workloads to where it matters to you.
Solution Support for Contiv Open-source
• Our customers can rely on us to keep their container networking fabric environments operating
• Fewer physical network devices to manage and operate
• Easier to manage container networking services on demand
• Container automation of security and application policies
How We Help
• Container Networking Fabric
• Virtual Network Per Tenant
• Segment Per Microservice
• Network-based Service Routing
• Security Policies
Engineer Expertise
• Solution Support Service for Cisco Contiv Open-source
• Embedded Basic Support with Cisco Smart Account entitlement
• Supports container networking fabric interoperability from solution partners
What’s Unique
Service Provider Use Cases
Flexible Connectivity to Place Containers Anywhere
Native Connectivity: Infra Policy [ Bridged | Routed ]; VLAN | IP (BGP) Handoff to Access Node
[Diagram: APP1 ... APP4 across Host-1 ... Host-n]
Overlay Connectivity: Infra Policy [ Overlay ] [ Bridge | Routed ]; Overlays for Inter-Container Traffic
[Diagram: APP1 ... APP4 across Host-1 ... Host-n]
Any Network Topology and Container Visibility Across Physical Network
Use Case: Private Cloud
Use Case: Private Cloud / Public Cloud
Scalable, Secure Microservices Deployments
Microservices Isolated Within the Network
[Diagram: Web Group, App Group and DB Group of micro-service containers/pods]
1. Allow Grouping of Containers/Pods
2. Specify Policies Between Groups or from Outside the Network
Ability to Provide Granular Micro-Service Security in a Scalable Way
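As an added example that is not part of the deck, the two steps above (group the pods, then specify policy between groups and from outside) expressed as Kubernetes NetworkPolicy objects, the mechanism the ACI + Kubernetes slide refers to as container teams setting Kubernetes network policies. The namespace "shop", the tier labels, the port numbers and the pod CIDR 10.244.0.0/16 are constructed for this example.

```yaml
# Added example, not from the Cisco deck: NetworkPolicy objects for the slide's
# web / app / db groups. Namespace, labels, ports and pod CIDR are constructed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny-ingress, namespace: shop}
spec:
  podSelector: {}              # every pod in the namespace ...
  policyTypes: [Ingress]       # ... is isolated for ingress until a policy below allows it
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: web-from-outside, namespace: shop}
spec:
  podSelector: {matchLabels: {tier: web}}   # step 1: the web group
  policyTypes: [Ingress]
  ingress:
  - from:
    - ipBlock: {cidr: 0.0.0.0/0, except: [10.244.0.0/16]}   # step 2: from outside the cluster only
    ports: [{protocol: TCP, port: 443}]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: app-from-web, namespace: shop}
spec:
  podSelector: {matchLabels: {tier: app}}
  policyTypes: [Ingress]
  ingress:
  - from:
    - podSelector: {matchLabels: {tier: web}}   # only the web group may reach app
    ports: [{protocol: TCP, port: 8080}]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: db-from-app, namespace: shop}
spec:
  podSelector: {matchLabels: {tier: db}}
  policyTypes: [Ingress]
  ingress:
  - from:
    - podSelector: {matchLabels: {tier: app}}   # web pods cannot reach db directly
    ports: [{protocol: TCP, port: 5432}]
```

The default-deny object is what makes the model whitelist-based: a new pod in the namespace has no ingress until a group policy selects it, and a pod that lands in the wrong group inherits only that group's allowed paths.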
Multi-Tenancy: Separation of Policy/Network
[Diagram: Tenant 1, Tenant 2 and Tenant 3, each using the overlapping subnet 10.1.1.0/24]
Ability to Support Many Secure Tenants with Individual Policies or Overlapping IP
Telemetry and Monitoring
[Live Application Connectivity Graph: nodes Svc1 Web, Svc1 App, Svc1 Db, Svc2 Web, Svc3 Ux]
Ability to Troubleshoot Micro-Service Application
Roadmap
Cisco and Google: Best of Both Worlds
Networking and Security
Private Cloud Infrastructure
Multicloud Management
Enterprise Class Sales and Support
Cloud Services
Microservices / Containers
API Gateway for Existing Services
Developer Community
Oct 2017: Cisco’s hyper-converged platform, Cisco HyperFlex, will provide a cloud-ready solution for Kubernetes and containers, and management tools to enforce security and consumption policies (Q2CY18).
Harmony Kubernetes Architecture
[Diagram: K8s master 1 ... K8s master n and K8s Nodes on HyperFlex IaaS/Storage; Kubernetes services: Persistent Storage, Overlay Network, Secure Communication, Load Balancer, External Communication (Storage / External Network); platform services: AuthN and AuthZ, Kubernetes Lifecycle Management, Monitoring / Logging]
Nexus 9000 Container-based ISSU
• Software runs inside separate Linux container (LXC) for the supervisor and linecard
• A third container is created as part of the ISSU procedure and is brought up as a standby supervisor
• During enhanced ISSU: control plane downtime is < 3-5 seconds. No data plane traffic disruption
• Requires 16G memory on switch
• Requires switch reload when enabling enhanced ISSU for the first time
• The supervisor is upgraded first, then linecard is upgraded